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ICO Third Party Collaboration Policy 


1.1 This policy applies to all employees of the Information Commissioner’s 
Office. Where the Policy refers to ‘the ICO’, it refers to the 
organisation as a whole, the Information Commissioner and individual 
staff. 

1.2 The ICO is bound under the DPA 2018 and UK GDPR to engage in 


many forms of collaboration. These are not within the scope of this 
policy. Also, requests for ICO speakers at events are not within the 
scope of this policy. This policy should only be used in application to 
collaboration which the ICO is entering into voluntarily, rather than as 
a requirement of its regulatory role. 


2.1 


2. Introduction 


This policy provides guidance on how to deal with requests for 
collaboration with a third party. Third parties are all organisations and 
individuals outside the ICO. Such involvement by the ICO may give 
the impression that it endorses the third party. This may, in turn, give 
the impression that the organisation is a recognised authority on 
information rights, openness of public bodies or data privacy. The ICO 
needs to be very careful in managing this perception. 


2.2 


The key role of the ICO is to "uphold information rights in the public 
interest, promoting openness by public bodies and data privacy for 
individuals." 


2.3 


You should bear this role in mind when considering issues in relation 
to this policy. 


3.1 


3. Support and Collaboration 


There are many forms of collaboration which the ICO may engage in 
with third parties. The guiding principle is that any work which the ICO 
engages in which may potentially give the impression to the public 
that it in any way endorses a third party should be considered in the 
light of this policy. 


4.1 


4. Issues to consider when deciding on collaboration 


The issues to consider when deciding on the ICO’s engagement in 
collaboration with third parties will vary for each request. 


ICO Third Party Collaboration Policy 


V1.2 


Page 2 of 9 


4.2 


A specific issue which should be considered in every case is whether 
you are aware that the ICO is engaged in or considering enforcement 
action against the third party. You are not expected to be aware of all 
such instances, but where you are aware you should act accordingly: 
in these circumstances, it will not usually be appropriate for the ICO to 
collaborate with that third party. However, it may be appropriate if the 
support is specifically designed to address the cause of the ICO’s 


investigation or enforcement. 


4.3 


Consideration should also be given as to whether the third party has 
paid the Data Protection Fee, if they are required to do so. This should 
be checked before agreeing to collaborate with a third party. 


4.4 


Where we are taking part in collaboration which involves a number of 
third parties, the considerations set out below should be applied to all 
organisations involved, not just the organiser. 


4.4 


Examples of further potential issues are set out below: 


Issue 


Consideration 


Is the third party a commercial 
(private sector) or non- 
commercial (public sector or 
charity) organisation? Where it is 
an individual, this should 
generally be considered a 
commercial organisation. 


It will usually be easier to 
collaborate with non-commercial 
third parties, as typically the goals 
of these third parties is more 
likely to be aligned with that of 
the ICO. 


Is the type of collaboration 
proposed intrinsic to the 
document/event (e.g. inclusion of 
the ICO logo on a document or 
making a key-note speech) or 
incidental to it (e.g. a request for 
a comment on a document, or 
attendance at an event with no 
set role)? 


Where the ICO’s support is 
intrinsic to the document/event, it 
is reasonable for the ICO to 
request more control over the 
final form of the document/event. 
In many cases (such as the use of 
the ICO logo on an information 
booklet) it would be reasonable 
for the ICO to review the full final 
text of the report before the logo 
is provided. 


There is a significant reputational 
risk if the ICO lends its voice to 
inaccurate information. 


What is the reputation of the third 
party, both generally and 
particularly in relation to 
information rights? 


It will be easier for the ICO to 
collaborate with a third party 
which has a respected reputation 
either in information rights or 
their respective field. 
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What other third parties are being | Related to the above, the 

asked for collaboration? perception of other third parties 
who are involved may create 
reputational risks. For example, 
including the ICO’s logo in an 
information booklet alongside that 
of a third party against whom the 
ICO is currently considering or 
engaged in enforcement action. 
What is the audience? The ICO will be more able to 
collaborate with third parties if the 
audience of the work is focused 
around promoting information 


rights. 
Will the publicity from a proposed | Collaboration will be more 
collaboration promote the ICO’s beneficial when it ensures that an 
priorities? audience is talking about an issue 


which the ICO wishes to promote. 
Is the involvement requested of The ICO should be careful not to 


the ICO relevant to the ICO’s overstep its role. There may be 
role? Does it give the impression other organisations who are more 
that the ICO has a role that it appropriately placed to provide 
does, in fact, not? the collaboration requested. If you 


have any concerns about whether 
any collaboration may be beyond 
the natural borders of the ICO’s 
work, you should consult with a 
Head of Department. 


4.5 This list of potential issues and considerations is not intended to be 
exhaustive. You will need to use your own judgement to identify the 
potential issues you will need to consider and the implications of those 
issues. You may wish to consult with a range of colleagues to identify 
these issues, particularly Corporate Communications and Private 
Office. 


4.6 You should take a risk-based approach to considering whether to 
engage with a third party. In some instances, it may be worth taking 
risks, in others it may not. You should take direction from the 
organisation’s Risk Appetite statement, as set out within the Risk 
Register. 


5. Making decisions 
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5.1 


When making decisions regarding collaboration with third parties, it 
may be helpful to complete the form at Annex 1 of this policy. This is 
not a requirement. However, if you do not complete the form, you 
should still at least review it so that you are aware of the potential 
issues which you will need to consider. 


5.2 


The form at Annex 1 includes consulting with peers within the 
organisation. This could be with a peer at a similar level as you or 
someone in your line management chain. The role of the peer review 
process is to ensure that you have considered all aspects of the 
proposed decision and provide an independent assessment of whether 
this is a reasonable decision. 


5.3 


You will always remain the decision maker. However, once you have 
made the decision, if you have completed the form, this should be 
sent to Corporate Governance for storage. 


6. Responsibilities 


remains appropriate and up to date. 


6.1 All staff are responsible for ensuring that due consideration is given to 
the issues set out within this policy. 
6.2 Corporate Governance is responsible for ensuring that this policy 
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Annex 1 - Third Party Collaboration Policy — decision-making form 


Summary information 


Decision maker 


[Put your name and title here] 


organisation 


Name of [Put the name of the organisation(s) who have 
organisation requested ICO collaboration here] 
involved 
Nature of [Provide a summary of the collaboration requested 
collaboration here. This should be enough detail to give the 
requested independent peer sufficient knowledge to assess the 
proposal. ] 

Information about the organisation 

Type of [Consider the type of organisation - history, role, 


industry, their public communications etc. You should 
also consider the type of organisation: commercial 
organisation, public sector, trade body, industry group, 
charity and how they operate. Generally speaking, it will 
usually be easier to approve collaboration with non- 
commercial third parties. Where the collaboration is 
with an individual you should usually assumed that this 
is a commercial enterprise, unless there is strong 
evidence otherwise. Where the collaboration is with a 
group of mixed public and private-sector organisations 
(e.g. an advisory board), you can usually consider this 
as a public sector organisation] 


Overall 
reputation 


[Consider a summary of the overall reputation of the 
organisation, and the risks and benefits of collaboration 
with them as a result of this reputation. This will usually 
build on the row above. ] 


Information 
rights reputation 


[Consider a summary of the reputation of the 
organisation specifically in relation to information rights, 
and the risks and benefits of collaboration with them as 
a result of this reputation. ] 


Data protection 
fee 


[Has the organisation paid the data protection fee - yes 
or no (or exempt). You will need to consult with the 
Data Protection Fees Group to confirm this. If the 
answer is no, you should explain to the organisation 
that we would not usually collaborate until they have 
paid the data protection fee. ] 
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ICO enforcement 
or investigations 


[Is there any ICO enforcement action or investigation 
against the organisation in question? If yes, you will 
need some details. This could include recent past 
enforcement action, ongoing investigations, or 
investigations currently being considered. You will need 
to check with the Private Office of the Chief Regulatory 
Officer to confirm this. In most cases, if there has been 
recent enforcement action or investigation, it will be 
difficult to collaborate with them, although there may be 
circumstances where exceptions can be made. ] 


Relationship 
management 
service level 


[What level is the organisation in the relationship 
management service? You can check with this service to 
confirm what level the organisation in question is. In 
some circumstances, the organisation itself may be 
outside the relationship management service levels, but 
organisations within the audience for the collaboration 
are. | 


Risk and benefits of collaboration 


Purpose of 
collaboration 


[Why does the organisation want to collaborate with the 
ICO? Why would the ICO want to collaborate with the 
organisation? ] 


Audience 


[What is the target audience for the collaboration? What 
are the risks and benefits of using this collaboration to 
engage with this audience? This is likely to involve 
considering what other engagement the ICO is doing 
with this sort of audience. You may need to consult with 
Corporate Communications to get information of this. ] 


Benefits to the 
ICO 


[How will the collaboration contribute to the ICO’s work 
(such as contributions towards completing goals in the 
IRSP or various supporting strategies)? It will be easier 
to justify devoting resources to collaboration, or take 
risks in this area, if the collaboration will contribute to 
key areas of the ICO’s work. ] 


Degree of 
control 


How much control the ICO will have over the 
collaboration? What are the risks or benefits of this? 
Generally speaking, where the ICO has more control 
over the event or product (such as ability to review and 
approve any final documents) it will be easier to agree 


to collaborate) ] 
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ICO remit 


[Is the collaboration within the ICO’s regulatory remit? 
It will be easier to collaborate in areas where the ICO is 
clearly the sole regulator for that space. There may be 
times where the ICO is asked to collaborate in areas 
which, while within the ICO’s remit, may also overlap on 
to the remit of other regulators (e.g. use of personal 
data in elections). In these instances you may need to 
consider the risks and benefits of such collaboration, 
including whether greater benefits could be gained by 
involving the relevant regulator/organisation in the 
collaboration. ] 


Other third 
parties likely to 
be engaged at 
outset or in 
future 


[If there are other third parties involved beyond the one 
you are directly being asked to collaborate with, you 
should also consider the impact of potentially being 
seen to collaborate with them. For example, if the 
collaboration is to provide use of the ICO logo, how will 
this look alongside logos of other companies endorsing 
the product/event. Or if we sit on an advisory board, 
who are the other members and what are the potential 
issues? ] 


Resourcing 
requirements 


[What are the resourcing requirements to take part in 
the collaboration? This should include financial 
considerations and staffing resources, but there may be 
a range of other relevant areas. This is also an 
opportunity to consider any work which would need to 
be stood down or delayed as a result of the resource 
implications of this collaboration. ] 


Summary of 
other risks 


[Any other risks of doing the collaboration which has 
not been drawn out so far within this form] 


Summary of 
other benefits 


[Any other benefits of doing the collaboration which has 
not been drawn out so far within this form] 


Recommendation 


Recommendation 


[Your recommendation of whether we should take part 


peer reviewer(s) 


of decision in the collaboration, and the key reasons for and 
maker against. ] 

Peer review 
Independent [Put the name and job titles of the people who are 


asked to peer review this proposed collaboration. In the 
first instance, this should be a person who is at the 
same grade as you, independent from the area of work 
in which the collaboration is requested, but able to 
make a reasonable assessment of the pros and cons of 
the proposed collaboration. Where this is below Head of 
Department level, you may also wish to consult with a 
Head of Department (this could be your own 
Department Head). ] 
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Peer reviewer 
findings 


[The independent peer reviewer(s) can put any findings 
or thoughts about the potential collaboration here. ] 


Peer reviewer 
recommendation 


[The independent peer reviewer(s) can put their 
recommendation here. This would usually be either 
“proceed” or “do not proceed”, but there may be times 
when something more nuanced is needed - e.g. 
proceed subject to some limitations] 


Decision-making 


Decision 


[The decision maker can consider the recommendation 
of the peer review and confirm their decision here. ] 


Date of decision 


[The date the decision has been made. ] 


Date sent to 
Corporate 
Governance 


[The date this form was sent to Corporate Governance. ] 
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